6 files changed, 46 insertions, 12 deletions

diff --git a/Documentation/userspace-api/spec_ctrl.rst b/Documentation/userspace-api/spec_ctrl.rst
index c4dbe6f7cdae..1129c7550a48 100644
--- a/Documentation/userspace-api/spec_ctrl.rst
+++ b/Documentation/userspace-api/spec_ctrl.rst
@@ -28,18 +28,20 @@ PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
 which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
 the following meaning:
 
-==== ===================== ===================================================
-Bit  Define                Description
-==== ===================== ===================================================
-0    PR_SPEC_PRCTL         Mitigation can be controlled per task by
-                           PR_SET_SPECULATION_CTRL.
-1    PR_SPEC_ENABLE        The speculation feature is enabled, mitigation is
-                           disabled.
-2    PR_SPEC_DISABLE       The speculation feature is disabled, mitigation is
-                           enabled.
-3    PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
-                           subsequent prctl(..., PR_SPEC_ENABLE) will fail.
-==== ===================== ===================================================
+==== ====================== ==================================================
+Bit  Define                 Description
+==== ====================== ==================================================
+0    PR_SPEC_PRCTL          Mitigation can be controlled per task by
+                            PR_SET_SPECULATION_CTRL.
+1    PR_SPEC_ENABLE         The speculation feature is enabled, mitigation is
+                            disabled.
+2    PR_SPEC_DISABLE        The speculation feature is disabled, mitigation is
+                            enabled.
+3    PR_SPEC_FORCE_DISABLE  Same as PR_SPEC_DISABLE, but cannot be undone. A
+                            subsequent prctl(..., PR_SPEC_ENABLE) will fail.
+4    PR_SPEC_DISABLE_NOEXEC Same as PR_SPEC_DISABLE, but the state will be
+                            cleared on :manpage:`execve(2)`.
+==== ====================== ==================================================
 
 If all bits are 0 the CPU is not affected by the speculation misfeature.
 
@@ -92,6 +94,7 @@ Speculation misfeature controls
    * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
    * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
    * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
+   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE_NOEXEC, 0, 0);
 
 - PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes
                         (Mitigate Spectre V2 style attacks against user processes)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 01874d54f4fd..2da82eff0eb4 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -798,15 +798,25 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
                 if (task_spec_ssb_force_disable(task))
                         return -EPERM;
                 task_clear_spec_ssb_disable(task);
+                task_clear_spec_ssb_noexec(task);
                 task_update_spec_tif(task);
                 break;
         case PR_SPEC_DISABLE:
                 task_set_spec_ssb_disable(task);
+                task_clear_spec_ssb_noexec(task);
                 task_update_spec_tif(task);
                 break;
         case PR_SPEC_FORCE_DISABLE:
                 task_set_spec_ssb_disable(task);
                 task_set_spec_ssb_force_disable(task);
+                task_clear_spec_ssb_noexec(task);
+                task_update_spec_tif(task);
+                break;
+        case PR_SPEC_DISABLE_NOEXEC:
+                if (task_spec_ssb_force_disable(task))
+                        return -EPERM;
+                task_set_spec_ssb_disable(task);
+                task_set_spec_ssb_noexec(task);
                 task_update_spec_tif(task);
                 break;
         default:
@@ -885,6 +895,8 @@ static int ssb_prctl_get(struct task_struct *task)
         case SPEC_STORE_BYPASS_PRCTL:
                 if (task_spec_ssb_force_disable(task))
                         return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
+                if (task_spec_ssb_noexec(task))
+                        return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
                 if (task_spec_ssb_disable(task))
                         return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
                 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 90ae0ca51083..58ac7be52c7a 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -255,6 +255,18 @@ void arch_setup_new_exec(void)
         /* If cpuid was previously disabled for this task, re-enable it. */
         if (test_thread_flag(TIF_NOCPUID))
                 enable_cpuid();
+
+        /*
+         * Don't inherit TIF_SSBD across exec boundary when
+         * PR_SPEC_DISABLE_NOEXEC is used.
+         */
+        if (test_thread_flag(TIF_SSBD) &&
+            task_spec_ssb_noexec(current)) {
+                clear_thread_flag(TIF_SSBD);
+                task_clear_spec_ssb_disable(current);
+                task_clear_spec_ssb_noexec(current);
+                speculation_ctrl_update(task_thread_info(current)->flags);
+        }
 }
 
 static inline void switch_to_bitmap(struct thread_struct *prev,
diff --git a/include/linux/sched.h b/include/linux/sched.h
index f9b43c989577..89ddece0b003 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1453,6 +1453,7 @@ static inline bool is_percpu_thread(void)
 #define PFA_SPEC_SSB_FORCE_DISABLE      4       /* Speculative Store Bypass force disabled*/
 #define PFA_SPEC_IB_DISABLE             5       /* Indirect branch speculation restricted */
 #define PFA_SPEC_IB_FORCE_DISABLE       6       /* Indirect branch speculation permanently restricted */
+#define PFA_SPEC_SSB_NOEXEC             7       /* Speculative Store Bypass clear on execve() */
 
 #define TASK_PFA_TEST(name, func)                                       \
         static inline bool task_##func(struct task_struct *p)           \
@@ -1481,6 +1482,10 @@ TASK_PFA_TEST(SPEC_SSB_DISABLE, spec_ssb_disable)
 TASK_PFA_SET(SPEC_SSB_DISABLE, spec_ssb_disable)
 TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable)
 
+TASK_PFA_TEST(SPEC_SSB_NOEXEC, spec_ssb_noexec)
+TASK_PFA_SET(SPEC_SSB_NOEXEC, spec_ssb_noexec)
+TASK_PFA_CLEAR(SPEC_SSB_NOEXEC, spec_ssb_noexec)
+
 TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
 TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
 
diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index b4875a93363a..094bb03b9cc2 100644
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -219,6 +219,7 @@ struct prctl_mm_map {
 # define PR_SPEC_ENABLE                 (1UL << 1)
 # define PR_SPEC_DISABLE                (1UL << 2)
 # define PR_SPEC_FORCE_DISABLE          (1UL << 3)
+# define PR_SPEC_DISABLE_NOEXEC         (1UL << 4)
 
 /* Reset arm64 pointer authentication keys */
 #define PR_PAC_RESET_KEYS               54
diff --git a/tools/include/uapi/linux/prctl.h b/tools/include/uapi/linux/prctl.h
index b4875a93363a..094bb03b9cc2 100644
--- a/tools/include/uapi/linux/prctl.h
+++ b/tools/include/uapi/linux/prctl.h
@@ -219,6 +219,7 @@ struct prctl_mm_map {
 # define PR_SPEC_ENABLE                 (1UL << 1)
 # define PR_SPEC_DISABLE                (1UL << 2)
 # define PR_SPEC_FORCE_DISABLE          (1UL << 3)
+# define PR_SPEC_DISABLE_NOEXEC         (1UL << 4)
 
 /* Reset arm64 pointer authentication keys */
 #define PR_PAC_RESET_KEYS               54